Summary
Soda Core fails to run in FIPS-enabled environments due to the use of hashlib.blake2b, which is not FIPS 140-2 compliant and is therefore disabled in these environments.
Error
When attempting to use Soda Core with FIPS mode enabled (e.g., on hardened Linux systems), the following error is thrown:
TypeError: 'digest_size' is an invalid keyword argument for this function
This happens because blake2b is unavailable in Python under FIPS mode.
Affected Code
The use of hashlib.blake2b appears in multiple places in the codebase for purposes like hashing identifiers or computing fingerprints.
Proposed Solution
Introduce a utility function such as fips_safe_hash() that:
- Uses hashlib.blake2b() when available.
- Falls back to hashlib.sha256() with truncation when in FIPS mode.
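```python
import hashlib


def fips_safe_hash(data: bytes, digest_size=32) -> bytes:
    try:
        # Preferred path: BLAKE2b with the requested output length.
        return hashlib.blake2b(data, digest_size=digest_size).digest()
    except (TypeError, ValueError, AttributeError):
        # blake2b is unavailable (FIPS mode): truncate SHA-256 instead.
        return hashlib.sha256(data).digest()[:digest_size]
```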
Then replace all hashlib.blake2b(...) calls with this wrapper to ensure compatibility in both FIPS and non-FIPS environments.
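
The following is an added example, not code from Soda Core or from the issue: it exercises the proposed wrapper on both paths and shows that the fallback yields a different digest for the same input, so fingerprints computed in a FIPS environment will not compare equal to ones computed elsewhere. It goes beyond the proposal in two labelled ways: a range check on digest_size, and SHA-512 for requests above 32 bytes (SHA-256 cannot supply them). FIPS mode is simulated with a constructed stand-in that raises the error quoted above.

```python
import hashlib
from unittest import mock


def fips_safe_hash(data: bytes, digest_size: int = 32) -> bytes:
    """The issue's wrapper, extended (assumption) to cover 1..64 byte outputs."""
    # Addition: reject sizes blake2b itself would reject, instead of letting
    # the except clause silently turn them into a truncated SHA digest.
    if not 1 <= digest_size <= 64:
        raise ValueError("digest_size must be between 1 and 64 bytes")
    try:
        return hashlib.blake2b(data, digest_size=digest_size).digest()
    except (TypeError, ValueError, AttributeError):
        # Addition: SHA-256 yields only 32 bytes, so longer requests use SHA-512.
        fallback = hashlib.sha256 if digest_size <= 32 else hashlib.sha512
        return fallback(data).digest()[:digest_size]


def _blake2b_disabled(*args, **kwargs):
    # Constructed stand-in that reproduces the error message from the issue.
    raise TypeError("'digest_size' is an invalid keyword argument for this function")


def hash_under_simulated_fips(data: bytes, digest_size: int = 32) -> bytes:
    """Run the wrapper with blake2b replaced by the failing stand-in."""
    with mock.patch.object(hashlib, "blake2b", _blake2b_disabled):
        return fips_safe_hash(data, digest_size)


def compare_environments(data: bytes, digest_size: int = 32) -> dict:
    """Hash the same input on both paths and report whether the digests agree."""
    normal = fips_safe_hash(data, digest_size)
    fips = hash_under_simulated_fips(data, digest_size)
    return {"non_fips": normal.hex(), "fips": fips.hex(), "match": normal == fips}


if __name__ == "__main__":
    # Constructed sample identifier.
    print(compare_environments(b"dataset-1/check-42", digest_size=16))
```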